ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-103 All Questions

View all questions & answers for the AZ-103 exam
Go to Exam

Exam AZ-103 topic 1 question 11 discussion

Actual exam question from Microsoft's AZ-103
Question #: 11
Topic #: 1
[All AZ-103 Questions]

HOTSPOT -
You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
✑ Can be assigned only to the resource groups in Subscription1
✑ Prevents the management of the access permissions for the resource groups
✑ Allows the viewing, creating, modifying, and deleting of resource within the resource groups
What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
by akamal at May 6, 2020, 9:07 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
akamal
Highly Voted 5 years, 1 month ago
i'm sorry it looks the existing answer is correct , it's "microsoft.authorization"
upvoted 37 times
...
kaviraj
Highly Voted 5 years ago
Subcriptions/SubscriptionID level only and Authorization after testing. You cannot add /resourcegroups as it gives an error.
upvoted 18 times
LowerSouth
5 years ago
"Allows the ... creating ... of resource WITHIN the resource groups" Allowing the creation of a RG is not a requirement
upvoted 1 times
...
praveen97
4 years, 12 months ago
Agree with kaviraj. '/subscriptions/SubscriptionID/resourceGroups/' will give error since it is looking for a specific resource group name here. First answer should be /subscriptions/SubscriptionID Second answer is correct. It is Microsoft.Authorization/*
upvoted 8 times
...
...
Neonlight8
Most Recent 4 years, 4 months ago
Answer is correct because it is granted by subtracting the NotActions operations. https://docs.microsoft.com/en-us/learn/modules/secure-azure-resources-with-rbac/2-rbac-overview
upvoted 1 times
...
I
4 years, 4 months ago
The Answer is correct. First one should contain subscription/ID/resource group. The last one is not actions: [here should be Microsoft Authorization], which means the role only can modify resources but assign no roles.
upvoted 1 times
...
Ibelieve
4 years, 5 months ago
CR1 Can be assigned only to the resource groups in Subscription1 Should including /resourceGroups. So Answer is right. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
upvoted 1 times
...
mikewallace8372
4 years, 5 months ago
answer is correct
upvoted 1 times
...
JustMe84
4 years, 6 months ago
this is an example of what it should look like when it is completed: “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network”
upvoted 3 times
...
JustMe84
4 years, 6 months ago
For the first part, its wrong. This is directly out of the Microsoft Authorized Trainer book: * /subscriptions/[subscription id] * /subscriptions/[subscription id]/resourceGroups/[resource group name] * /subscriptions/[subscription id]/resourceGroups/[resource group name]/ [resource] The second answer to the first part is incomplete, it is missing the actual resource group name.
upvoted 3 times
...
aryise
4 years, 6 months ago
Correct Answer: “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization”
upvoted 6 times
Wasiff
4 years, 3 months ago
Does 104 has labs in exam?
upvoted 1 times
...
...
Thi
4 years, 8 months ago
First wrong should be without resource group name 2nd correct
upvoted 1 times
...
challengelogic
4 years, 9 months ago
This whole question is simply nonsense and doesnt match any kind of answer. You cannot add a scope to ResourceGroups - only a Subscription OR a specific RG. Also the permissions given all you to access to all "*" resource types, not just RGs. This question must be written incorrectly.
upvoted 1 times
...
NameIsNick
4 years, 10 months ago
Adding "resourcegroups/*" I was able to save the JSON "roleName": "CR1", "description": "CR1", "assignableScopes": [ "/subscriptions/xxxxxxxx-yyyy-xxxx-yyyy-xxxxxxxxxxxx/resourcegroups/*" ],
upvoted 3 times
hstorm
4 years, 10 months ago
Agree - The answer is missing the "/*", but to ensure it can only be applied to Resourcegroups i would go for the original answer
upvoted 2 times
JBinuya
4 years, 4 months ago
So the given answer for box1 is correct only that it needs the additional "/*" at the end to make it a proper answer?
upvoted 1 times
...
...
...
bnair
4 years, 11 months ago
scope is incorrect. /subscriptions/<subscription ID>/resourceGroups/<RG name> would work However just /subscriptions/<subscription ID>/resourceGroups will throw invalid error.
upvoted 4 times
...
LTTAM
4 years, 12 months ago
Just tried creating a custom RBAC for the scenario. First answer is incorrect. It should be /subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e. There is no option for /ResourceGroup as other people have commented. Second answer is correct. Here is a better link & explanation on custom RBAC - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
upvoted 12 times
...
goape
5 years ago
The first box is incorrect as you must specify resources that currently exist. Entering 'ResourceGroups' when there is not resource with this name will incur an error. You will set the scope at the sub level.
upvoted 4 times
...
paulosrsf
5 years ago
Rarodrig and kaviraj are correct. The given answer is incorrect. The first option doesn't need the /ResourceGroups. It should be /subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e. The second one is correct.
upvoted 5 times
Novix
5 years ago
Requirement is it can only be assigned to resource groups in the subscription so the assignable scope needs resourceGroups. Resource groups are an option:Click Add assignable scopes to select the scopes (subscriptions or resource groups). Example: /subscriptions/hfhfhfhfh-4bcd-9652-fjhhdjdjdkkdh/resourceGroups/WestUS
upvoted 3 times
paulosrsf
5 years ago
Novix, what you said is correct. But it gives the wrong answer to the question. The question states "Prevents the management of the access permissions for the resource groups". So, to apply the permission to all resource groups, whichever they are, the scope needs to be Subscription. Your example applies only to one resource group, specificaly.
upvoted 1 times
_syamantak
4 years, 11 months ago
Doesn't choosing " /subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e." makes this RBAC policy applicable to any resource within the subscription? The first clause is that it can be assigned only to the ***"resource groups"*** in Subscription1
upvoted 1 times
...
...
...
...
PM2
5 years, 1 month ago
I got in exam
upvoted 12 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel